The attack called LizaMoon -- after the first fake Website link it added to targeted sites – showed as many as four million pages infected by April 3 with links to 28 URLs redirecting victims to scareware sites warning their computers could be in danger if they refused a free PC scan.

Many were hoping at first the attacks, first detected March 29 but only hitting their real stride April 1, were an April Fool's trick (The scareware in the fake links was called the Windows Stability Center, which I'd normally think was as clear an indication of satire as InfoWorld's annual story about Microsoft adopting Linux.)

In the wake of high-profile attacks everyone screams for better security, which usually means buying more antivirus software and keeping it updated.

LizaMoon and other SQL injection attacks argue for different application design, though, especially for sites or applications based on cloud, virtual-server or web platforms that may be more vulnerable to bogus SQL commands embedded in otherwise standard requests.

“SQL injection has been the primary way that databases have been attacked for years," Josh Shaul, CTO of Application Security, Inc. told the WSJ. "What’s different here is that people are putting the code that runs their Web sites in the database itself. And that’s what’s so troubling. Effectively you’ve exposed your code to an attacker so they can go modify it.”

That argues for the same kind of n-tier design for web applications as for more secure apps designed with web front ends for corporate apps.

Simply put, add a layer of middleware or secure filtering app between the web front end and the database to identify and strip out bogus SQL code.